ldapsearch complains about DN having invalid syntax, but same DN works in JXplorer
When using ldapsearch as follows:

ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b -s base

I get the following after providing my password:

ldap_bind: Invalid DN syntax (34)
        additional info: invalid DN

However, if I use this same DN in JXplorer, I am able to authenticate and log in just fine. I have checked the DN numerous times and see nothing obviously wrong. I've retyped things from scratch, removed various options, etc. I commented out all entries in ldap.conf, and my current slapd.conf is set up as shown at the bottom of this message. What am I missing? Thanks in advance for any help!

ucdata-path     ./ucdata
include         ./schema/core.schema
include         ./schema/cosine.schema
include         ./schema/inetorgperson.schema
pidfile         ./run/slapd.pid
argsfile        ./run/slapd.args
# loglevel none        IT DOES NOT SEEM TO LIKE loglevel for some reason

access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
access to *
        by self write
        by * none

database        bdb
suffix          dc=example,dc=com
rootdn          cn=Manager,dc=example,dc=com
rootpw          secret
directory       ./data
index           objectClass,cn  eq
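Result code 34 (invalidDNSyntax) is what slapd returns when the string it is handed as a DN does not parse as one. The thread does not settle which string that was here, so the following is an added example (not from the post and not OpenLDAP code): a compact RFC 4514 syntax checker in C that shows what does and does not parse. Two strings that often reach a server by accident are exercised alongside the poster's DN: the DN still wrapped in literal quote characters (a shell that does not treat single quotes as quoting passes them through), and the option-like string `-s`, which is what `-b` receives as its argument in `ldapsearch ... -b -s base` because getopt does not check whether an option's argument looks like another option. The checker is stricter than OpenLDAP's own `ldap_str2dn()` in places; the tolerated space after a separator follows RFC 2253 §4.

```c
/* dn_syntax.c: a compact RFC 4514 DN syntax check, written as an added
 * example for this thread (not OpenLDAP code). slapd answers with
 * invalidDNSyntax (34) when a DN string fails this kind of parse. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* attributeType: descr (ALPHA *(ALPHA / DIGIT / "-")) or numericoid. */
static bool is_type(const char *s, size_t n)
{
    if (n == 0) return false;
    if (isalpha((unsigned char)s[0])) {
        for (size_t i = 1; i < n; i++)
            if (!isalnum((unsigned char)s[i]) && s[i] != '-') return false;
        return true;
    }
    bool digit = false;                          /* numericoid: number *("." number) */
    for (size_t i = 0; i < n; i++) {
        if (isdigit((unsigned char)s[i])) digit = true;
        else if (s[i] == '.' && digit) digit = false;
        else return false;
    }
    return digit;
}

/* attributeValue: "#" hexstring, or a string in which " + , ; < > \ are
 * escaped, a leading SPACE or "#" is escaped, and a trailing SPACE is escaped. */
static bool is_value(const char *s, size_t n)
{
    if (n == 0) return true;                     /* an empty value is legal */
    if (s[0] == '#') {                           /* BER-encoded value as hex */
        if (n < 3 || (n - 1) % 2) return false;
        for (size_t i = 1; i < n; i++)
            if (!isxdigit((unsigned char)s[i])) return false;
        return true;
    }
    if (s[0] == ' ') return false;               /* leading space must be "\ " */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '\\') {
            if (i + 1 < n && strchr("\"+,;<>\\= #", s[i + 1])) i += 1;
            else if (i + 2 < n && isxdigit((unsigned char)s[i + 1])
                               && isxdigit((unsigned char)s[i + 2])) i += 2;
            else return false;                   /* bad or dangling escape */
        } else if (strchr("\"+,;<>", c) || (c == ' ' && i + 1 == n)) {
            return false;                        /* unescaped special or trailing space */
        }
    }
    return true;
}

/* Index of the first unescaped sep in s[0..n), or n if there is none. */
static size_t find_sep(const char *s, size_t n, char sep)
{
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\\') i++;                   /* skip the escaped character */
        else if (s[i] == sep) return i;
    }
    return n;
}

/* attributeTypeAndValue = attributeType "=" attributeValue. Spaces right
 * after a separator are tolerated for RFC 2253 compatibility. */
static bool is_ava(const char *s, size_t n)
{
    while (n > 0 && *s == ' ') { s++; n--; }
    const char *eq = memchr(s, '=', n);
    if (eq == NULL) return false;                /* e.g. "-s" or "base": no type=value */
    size_t tlen = (size_t)(eq - s);
    return is_type(s, tlen) && is_value(eq + 1, n - tlen - 1);
}

/* Split s on unescaped sep and validate every piece with part(); an empty
 * piece (",," or a trailing ",") is a syntax error. */
static bool each_part(const char *s, size_t n, char sep,
                      bool (*part)(const char *, size_t))
{
    for (;;) {
        size_t k = find_sep(s, n, sep);
        if (k == 0 || !part(s, k)) return false;
        if (k == n) return true;
        s += k + 1; n -= k + 1;
    }
}

/* RDN = AVA *( "+" AVA ) */
static bool is_rdn(const char *s, size_t n) { return each_part(s, n, '+', is_ava); }

/* DN = [ RDN *( "," RDN ) ]; the empty DN names the root DSE. */
bool dn_is_valid(const char *dn)
{
    size_t n = strlen(dn);
    return n == 0 || each_part(dn, n, ',', is_rdn);
}

int main(void)
{
    const char *samples[] = {
        "cn=Manager,dc=example,dc=com",      /* the bind DN from the post */
        "'cn=Manager,dc=example,dc=com'",    /* quote characters passed through literally */
        "-s",                                /* what -b receives in "-b -s base" */
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-34s %s\n", samples[i],
               dn_is_valid(samples[i]) ? "valid" : "invalid DN syntax (34)");
    return 0;
}
```

Running a DN through `dn_is_valid()` before sending it is a cheap way to tell an option-parsing or quoting mistake on the client from a server-side problem, which is the distinction the JXplorer comparison in the post is trying to make.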
Re: Asynchronicity
William Ahern wrote:
> Excepting DNS, is the latest release of OpenLDAP fully asynchronous-capable, even with TLS? Perusing the source code I can't find any obvious places other than DNS where things might block, but it's harder to prove the negative. I remember many years ago this wasn't the case, and I had to thread the connect phase, but the ChangeLog suggests that things have changed considerably.

Connect has been async for years, though an option to configure the connect timeout is a more recent addition. The only significant thing left that I can think of that's still only synchronous is ldap_sasl_interactive_bind_s(), and I have some plans to fix that.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
PPolicy error.
Hi,

I am using the ppolicy overlay to enforce password policies. Following is my ppolicy configuration/ldif.

dn: cn=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: policies
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 432000
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

While changing the password on first login I got the following error.

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user prasad.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Constraint violation
Password is too young to change
passwd: Permission denied
Connection to myhost closed.

Thanks in advance
Meghanand N Acharekar.
Re: PPolicy error.
On 11.10.2010 14:41, Meghanand Acharekar wrote:
> Hi,
>
> I am using the ppolicy overlay to enforce password policies. Following is my ppolicy configuration/ldif.
>
> dn: cn=policies,dc=example,dc=com
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: policies
> pwdAttribute: userPassword
> pwdMaxAge: 7516800
> pwdExpireWarning: 432000
> pwdInHistory: 6
> pwdCheckQuality: 1
> pwdMinLength: 8
> pwdMaxFailure: 4
> pwdLockout: TRUE
> pwdLockoutDuration: 1920
> pwdGraceAuthNLimit: 0
> pwdFailureCountInterval: 0
> pwdMustChange: TRUE
> pwdAllowUserChange: TRUE
> pwdSafeModify: FALSE
>
> While changing the password on first login I got the following error.
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user prasad.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Constraint violation
> Password is too young to change
> passwd: Permission denied
> Connection to myhost closed.
>
> Thanks in advance
> Meghanand N Acharekar.

Hi,

when you set 'pwdCheckQuality: 1', you require a module to actually check the quality of the password. See slapo-ppolicy(5) and look at the pwdPolicyChecker/pwdCheckModule parts.

Regards,
Christian Manal
Re: PPolicy error.
On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal <moen...@informatik.uni-bremen.de> wrote:
> On 11.10.2010 14:41, Meghanand Acharekar wrote:
>> Hi,
>>
>> I am using the ppolicy overlay to enforce password policies. Following is my ppolicy configuration/ldif.
>>
>> dn: cn=policies,dc=example,dc=com
>> objectClass: top
>> objectClass: device
>> objectClass: pwdPolicy
>> cn: policies
>> pwdAttribute: userPassword
>> pwdMaxAge: 7516800
>> pwdExpireWarning: 432000
>> pwdInHistory: 6
>> pwdCheckQuality: 1
>> pwdMinLength: 8
>> pwdMaxFailure: 4
>> pwdLockout: TRUE
>> pwdLockoutDuration: 1920
>> pwdGraceAuthNLimit: 0
>> pwdFailureCountInterval: 0
>> pwdMustChange: TRUE
>> pwdAllowUserChange: TRUE
>> pwdSafeModify: FALSE
>>
>> While changing the password on first login I got the following error.
>>
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user prasad.
>> Enter login(LDAP) password:
>> New UNIX password:
>> Retype new UNIX password:
>> LDAP password information update failed: Constraint violation
>> Password is too young to change
>> passwd: Permission denied
>> Connection to myhost closed.
>>
>> Thanks in advance
>> Meghanand N Acharekar.
>
> Hi,
>
> when you set 'pwdCheckQuality: 1', you require a module to actually check the quality of the password. See slapo-ppolicy(5) and look at the pwdPolicyChecker/pwdCheckModule parts.

Hello,

After setting pwdReset TRUE in the user's attributes, I'm getting another error.

LDAP password information update failed: Constraint violation
Password fails quality checking policy
passwd: Permission denied
Connection to myhost closed.

Is it mandatory to use this module if we want to enforce password policies? Any idea?

> Regards,
> Christian Manal
Re: PPolicy error.
On 11.10.2010 15:25, Meghanand Acharekar wrote:
> On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal <moen...@informatik.uni-bremen.de> wrote:
>> On 11.10.2010 14:41, Meghanand Acharekar wrote:
>>> Hi,
>>>
>>> I am using the ppolicy overlay to enforce password policies. Following is my ppolicy configuration/ldif.
>>>
>>> dn: cn=policies,dc=example,dc=com
>>> objectClass: top
>>> objectClass: device
>>> objectClass: pwdPolicy
>>> cn: policies
>>> pwdAttribute: userPassword
>>> pwdMaxAge: 7516800
>>> pwdExpireWarning: 432000
>>> pwdInHistory: 6
>>> pwdCheckQuality: 1
>>> pwdMinLength: 8
>>> pwdMaxFailure: 4
>>> pwdLockout: TRUE
>>> pwdLockoutDuration: 1920
>>> pwdGraceAuthNLimit: 0
>>> pwdFailureCountInterval: 0
>>> pwdMustChange: TRUE
>>> pwdAllowUserChange: TRUE
>>> pwdSafeModify: FALSE
>>>
>>> While changing the password on first login I got the following error.
>>>
>>> WARNING: Your password has expired.
>>> You must change your password now and login again!
>>> Changing password for user prasad.
>>> Enter login(LDAP) password:
>>> New UNIX password:
>>> Retype new UNIX password:
>>> LDAP password information update failed: Constraint violation
>>> Password is too young to change
>>> passwd: Permission denied
>>> Connection to myhost closed.
>>>
>>> Thanks in advance
>>> Meghanand N Acharekar.
>>
>> Hi,
>>
>> when you set 'pwdCheckQuality: 1', you require a module to actually check the quality of the password. See slapo-ppolicy(5) and look at the pwdPolicyChecker/pwdCheckModule parts.
>
> Hello,
>
> After setting pwdReset TRUE in the user's attributes, I'm getting another error.
>
> LDAP password information update failed: Constraint violation
> Password fails quality checking policy
> passwd: Permission denied
> Connection to myhost closed.
>
> Is it mandatory to use this module if we want to enforce password policies? Any idea?
>
>> Regards,
>> Christian Manal

The 'Constraint violation' error means that the new password does not conform to the quality requirements, or in your case, the quality could not be verified at all.

As I said, if you want to use pwdCheckQuality: 1 you *need* a pwdCheckModule to run the password through, or you will always get a constraint violation.

Regards,
Christian Manal
Re: PPolicy error.
On Mon, Oct 11, 2010 at 7:08 PM, Christian Manal <moen...@informatik.uni-bremen.de> wrote:
> On 11.10.2010 15:25, Meghanand Acharekar wrote:
>> On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal <moen...@informatik.uni-bremen.de> wrote:
>>> On 11.10.2010 14:41, Meghanand Acharekar wrote:
>>>> Hi,
>>>>
>>>> I am using the ppolicy overlay to enforce password policies. Following is my ppolicy configuration/ldif.
>>>>
>>>> dn: cn=policies,dc=example,dc=com
>>>> objectClass: top
>>>> objectClass: device
>>>> objectClass: pwdPolicy
>>>> cn: policies
>>>> pwdAttribute: userPassword
>>>> pwdMaxAge: 7516800
>>>> pwdExpireWarning: 432000
>>>> pwdInHistory: 6
>>>> pwdCheckQuality: 1
>>>> pwdMinLength: 8
>>>> pwdMaxFailure: 4
>>>> pwdLockout: TRUE
>>>> pwdLockoutDuration: 1920
>>>> pwdGraceAuthNLimit: 0
>>>> pwdFailureCountInterval: 0
>>>> pwdMustChange: TRUE
>>>> pwdAllowUserChange: TRUE
>>>> pwdSafeModify: FALSE
>>>>
>>>> While changing the password on first login I got the following error.
>>>>
>>>> WARNING: Your password has expired.
>>>> You must change your password now and login again!
>>>> Changing password for user prasad.
>>>> Enter login(LDAP) password:
>>>> New UNIX password:
>>>> Retype new UNIX password:
>>>> LDAP password information update failed: Constraint violation
>>>> Password is too young to change
>>>> passwd: Permission denied
>>>> Connection to myhost closed.
>>>>
>>>> Thanks in advance
>>>> Meghanand N Acharekar.
>>>
>>> Hi,
>>>
>>> when you set 'pwdCheckQuality: 1', you require a module to actually check the quality of the password. See slapo-ppolicy(5) and look at the pwdPolicyChecker/pwdCheckModule parts.
>>
>> Hello,
>>
>> After setting pwdReset TRUE in the user's attributes, I'm getting another error.
>>
>> LDAP password information update failed: Constraint violation
>> Password fails quality checking policy
>> passwd: Permission denied
>> Connection to myhost closed.
>>
>> Is it mandatory to use this module if we want to enforce password policies? Any idea?
>>
>>> Regards,
>>> Christian Manal
>
> The 'Constraint violation' error means that the new password does not conform to the quality requirements, or in your case, the quality could not be verified at all.
>
> As I said, if you want to use pwdCheckQuality: 1 you *need* a pwdCheckModule to run the password through, or you will always get a constraint violation.

Okies, if I use a simple password it prompts me as follows.

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user test
Enter login(LDAP) password:
New UNIX password:
BAD PASSWORD: it does not contain enough DIFFERENT characters
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Constraint violation
Password fails quality checking policy

By the way, I found the check_password.c file here: https://ltb-project.org/svn/openldap-ppolicy-check-password/trunk/

I will compile it to generate the check_password.so file and update you.

> Regards,
> Christian Manal
Re: PPolicy error.
On 11.10.2010 16:06, Meghanand Acharekar wrote:
> On Mon, Oct 11, 2010 at 7:08 PM, Christian Manal <moen...@informatik.uni-bremen.de> wrote:
>> On 11.10.2010 15:25, Meghanand Acharekar wrote:
>>> On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal <moen...@informatik.uni-bremen.de> wrote:
>>>> On 11.10.2010 14:41, Meghanand Acharekar wrote:
>>>>> Hi,
>>>>>
>>>>> I am using the ppolicy overlay to enforce password policies. Following is my ppolicy configuration/ldif.
>>>>>
>>>>> dn: cn=policies,dc=example,dc=com
>>>>> objectClass: top
>>>>> objectClass: device
>>>>> objectClass: pwdPolicy
>>>>> cn: policies
>>>>> pwdAttribute: userPassword
>>>>> pwdMaxAge: 7516800
>>>>> pwdExpireWarning: 432000
>>>>> pwdInHistory: 6
>>>>> pwdCheckQuality: 1
>>>>> pwdMinLength: 8
>>>>> pwdMaxFailure: 4
>>>>> pwdLockout: TRUE
>>>>> pwdLockoutDuration: 1920
>>>>> pwdGraceAuthNLimit: 0
>>>>> pwdFailureCountInterval: 0
>>>>> pwdMustChange: TRUE
>>>>> pwdAllowUserChange: TRUE
>>>>> pwdSafeModify: FALSE
>>>>>
>>>>> While changing the password on first login I got the following error.
>>>>>
>>>>> WARNING: Your password has expired.
>>>>> You must change your password now and login again!
>>>>> Changing password for user prasad.
>>>>> Enter login(LDAP) password:
>>>>> New UNIX password:
>>>>> Retype new UNIX password:
>>>>> LDAP password information update failed: Constraint violation
>>>>> Password is too young to change
>>>>> passwd: Permission denied
>>>>> Connection to myhost closed.
>>>>>
>>>>> Thanks in advance
>>>>> Meghanand N Acharekar.
>>>>
>>>> Hi,
>>>>
>>>> when you set 'pwdCheckQuality: 1', you require a module to actually check the quality of the password. See slapo-ppolicy(5) and look at the pwdPolicyChecker/pwdCheckModule parts.
>>>
>>> Hello,
>>>
>>> After setting pwdReset TRUE in the user's attributes, I'm getting another error.
>>>
>>> LDAP password information update failed: Constraint violation
>>> Password fails quality checking policy
>>> passwd: Permission denied
>>> Connection to myhost closed.
>>>
>>> Is it mandatory to use this module if we want to enforce password policies? Any idea?
>>>
>>>> Regards,
>>>> Christian Manal
>>
>> The 'Constraint violation' error means that the new password does not conform to the quality requirements, or in your case, the quality could not be verified at all.
>>
>> As I said, if you want to use pwdCheckQuality: 1 you *need* a pwdCheckModule to run the password through, or you will always get a constraint violation.
>
> Okies, if I use a simple password it prompts me as follows.
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user test
> Enter login(LDAP) password:
> New UNIX password:
> BAD PASSWORD: it does not contain enough DIFFERENT characters
> New UNIX password:
> BAD PASSWORD: it is based on a dictionary word
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Constraint violation
> Password fails quality checking policy

I think the BAD PASSWORD messages are coming from your PAM stack. pam_cracklib, or something, may check the password quality before passing it to pam_ldap. But that doesn't have anything to do with the quality checking of slapo-ppolicy.

> By the way, I found the check_password.c file here: https://ltb-project.org/svn/openldap-ppolicy-check-password/trunk/
>
> I will compile it to generate the check_password.so file and update you.

Regards,
Christian Manal
problems updating from provider?
Openldap experts,

I am currently running openldap 2.3.43 on a RedHat 5.5 system. I recently had to move one of my replication ldap servers to another box. After doing so, it won't update from the provider any more. I had simply done a slapcat of the provider's db into a ldif file and then slapadd it into the replication server. It runs fine and looks up data, but it won't update any changes from the provider. I have a second replication server which works just fine with updates from the provider. So I am pretty sure the problem is with this replication server. I restored the configurations exactly as I had them previously when it was working. What might I be doing wrong? Does this suggest that I might have a permissions problem or perhaps a corrupt database? I can't seem to find a permission difference between my two replication servers. Is it acceptable to simply do a slapadd -l filename.ldif or should I include other parameters when adding in the files from scratch? Note: the only file that exists in the ldap database directory is the DB_CONFIG file when restoring the ldif.

Below is a part of my syncrepl config in slapd.conf in case that helps.

syncrepl rid=102
        provider=ldaps://xxx.beloit.edu:636
        type=refreshAndPersist
        interval=00:01:00:00
        searchbase=dc=beloit,dc=edu
        filter=(objectclass=*)
        attrs=*,+
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn=cn=Admin,dc=beloit,dc=edu

I must be missing something. Any advice?

Tim Tyler
Network Engineer
Beloit College
Re: support for arbitrary PKCS11 pin input method
Rich Megginson wrote:
> Silvan Marco Fin wrote:
>> Hi!
>>
>> I searched through tls_m.c for means to enter the token PIN for a PKCS11 token. I found a call to PK11_SetPasswordFunc(). The callback is set to tlsm_pin_prompt(), which by itself uses tlsm_get_pin(). tlsm_get_pin() only supports reading the PIN from file or via STDIN. To be usable within any form of GUI, there would have to be some method to pass a GUI callback to ask for the PIN.
>
> How would this work? Would you pass in a callback function with your private context, and this callback function would be called with the current MozNSS context + your provided context? What would be the possible return values from your callback? What should the code do depending upon each return value? Is there currently a way, via the OpenLDAP API, to pass in such a function and context?

For what it's worth, we need to add this feature for sasl_interactive_bind as well. Thus far, for the ldap_sasl interface all of the callback parameters have been passed on the function invocation, as opposed to being set by a separate ldap_set_option(). It makes for a clunky function signature, but seems safest in terms of re-entrancy...

>> Do you plan on implementing such a feature in the near future or is there a proposed way of setting such a callback method?
>>
>> Kind regards,
>> Silvan

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/